Automated Software Analysis

[Figure: a Program is fed to an Automated Analysis that answers Correct or Incorrect. Two families of analyses are shown: Software Model Checking with Predicate Abstraction (e.g., Microsoft's SDV) and Abstract Interpretation with Numeric Abstraction (e.g., ASTREE, Polyspace).]
Turing, 1936: "undecidable"

Turing, 1949: Alan M. Turing. "Checking a large routine", 1949

"How can one check a routine in the sense of making sure that it is right?"

"... should make a number of definite assertions which can be checked individually, and from which the correctness of the whole programme easily follows."
A fully automated verification framework for LLVM-based languages.

SeaHorn Verification Framework

[Figure: pipeline. Program -> LLVM bitcode (front-end) -> Horn Clause (middle end) -> back-end, which returns a counterexample (CEX) or a proof. Encoding = {Small, Large}; Precision = {Register, Pointer, Memory}.]
Distinguishing  Features 

•  LLVM  front-end(s) 

•  Constrained  Horn  Clauses  to  represent  Verification  Conditions 

• Comparable to state-of-the-art tools at SV-COMP'15

Goals

•  be  a  state-of-the-art  Software  Model  Checker 

•  be  a  framework  for  experimenting  and  developing  CHC-based  verification 
Related Tools


CPAChecker 

•  Custom  front-end  for  C 

•  Abstract  Interpretation-inspired  verification  engine 

•  Predicate  abstraction,  invariant  generation,  BMC,  k-induction 

SMACK  /  Corral 

•  LLVM-based  front-end 

•  Reduces  C  verification  to  Boogie 

•  Corral  /  Q  verification  back-end  based  on  Bounded  Model  Checking  with  SMT 

UFO 

•  LLVM-based  front-end  (partially  reused  in  SeaHorn) 

•  Combines  Abstract  Interpretation  with  Interpolation-Based  Model  Checking 

•  (no  longer  actively  developed) 
SeaHorn Philosophy


Build  a  state-of-the-art  Software  Model  Checker 

•  useful  to  “average”  users 

-  user-friendly,  efficient,  trusted,  certificate-producing,  ... 

•  useful  to  researchers  in  verification 

- modular design, clean separation between syntax, semantics, and logic, ...

Stand  on  the  shoulders  of  giants 

•  reuse  techniques  from  compiler  community  to  reduce  verification  effort 

-  SSA,  loop  restructuring,  induction  variables,  alias  analysis,  ... 

-  static  analysis  and  abstract  interpretation 

•  reduce  verification  to  logic 

-  verification  condition  generation 

-  Constrained  Horn  Clauses 

Build  reusable  logic-based  verification  technology 

•  “SMT-LIB”  for  program  verification 
SeaHorn Usage


> sea pf FILE.c

Outputs sat for unsafe (has counterexample); unsat for safe

Additional options

• --cex=trace.xml outputs a counter-example in SV-COMP'15 format

• --track={reg,ptr,mem} track registers, pointers, memory content

• --step={large,small} verification condition step-semantics
- small == basic block, large == loop-free control flow block

• --inline inline all functions in the front-end passes

Additional commands

• sea smt -- generates CHC in extension of SMT-LIB2 format

• sea clp -- generates CHC in CLP format (under development)

• sea lfe-smt -- generates CHC in SMT-LIB2 format using legacy front-end
Verification Pipeline

[Figure: front-end -> Constrained Horn Clauses (the intermediate representation) -> back-end]

Constrained Horn Clauses
INTERMEDIATE REPRESENTATION

Constrained Horn Clauses (CHC)

A Constrained Horn Clause (CHC) is a FOL formula of the form

  $\forall V \,.\, (\varphi \wedge p_1[X_1] \wedge \dots \wedge p_n[X_n] \rightarrow h[X])$,

where

• A is a background theory (e.g., Linear Arithmetic, Arrays, Bit-Vectors, or combinations of the above)

• $\varphi$ is a constraint in the background theory A

• $p_1, \dots, p_n, h$ are n-ary predicates

• $p_i[X_i]$ is an application of a predicate to first-order terms
Example Horn Encoding

  int x = 1;
  int y = 0;
  while (*) {
    x = x + y;
    y = y + 1;
  }
  assert(x > y);

(1) $p_0$.
(2) $p_1(x, y) \leftarrow p_0,\ x = 1,\ y = 0$.
(3) $p_2(x, y) \leftarrow p_1(x, y)$.
(4) $p_3(x, y) \leftarrow p_1(x, y)$.
(5) $p_1(x', y') \leftarrow p_2(x, y),\ x' = x + y,\ y' = y + 1$.
(6) $p_4 \leftarrow (x > y),\ p_3(x, y)$.
(7) $p_{err} \leftarrow (x \le y),\ p_3(x, y)$.
(8) $p_4 \leftarrow p_4$.
(9) $\bot \leftarrow p_{err}$.
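The clauses above, encoded as data, with a bounded forward derivation that searches for a resolution proof of false. This is an added example, not code from the slides or from SeaHorn; the clause representation (head, single body predicate, guard, output arguments) and the helper names are my own. A derivation of false is the counterexample; in SeaHorn's terminology this is the "sat" outcome.

```python
# Added example (not from the slides): clauses (1)-(9) of the example program
# as data, plus bounded forward chaining that looks for a derivation of 'false'.
# The derivation is the counterexample; SeaHorn reports this case as "sat".

# A clause: head predicate, the single body predicate (None for a fact), the
# constraint phi as a guard on the body atom's arguments, and the head atom's
# arguments computed from them.  States are (x, y); nullary predicates use ().
CLAUSES = [
    dict(num=1, head="p0",    body=None,   guard=lambda s: True,         out=lambda s: ()),
    dict(num=2, head="p1",    body="p0",   guard=lambda s: True,         out=lambda s: (1, 0)),
    dict(num=3, head="p2",    body="p1",   guard=lambda s: True,         out=lambda s: s),
    dict(num=4, head="p3",    body="p1",   guard=lambda s: True,         out=lambda s: s),
    dict(num=5, head="p1",    body="p2",   guard=lambda s: True,         out=lambda s: (s[0] + s[1], s[1] + 1)),
    dict(num=6, head="p4",    body="p3",   guard=lambda s: s[0] > s[1],  out=lambda s: ()),
    dict(num=7, head="perr",  body="p3",   guard=lambda s: s[0] <= s[1], out=lambda s: ()),
    dict(num=8, head="p4",    body="p4",   guard=lambda s: True,         out=lambda s: ()),
    dict(num=9, head="false", body="perr", guard=lambda s: True,         out=lambda s: ()),
]

def derive_false(clauses, max_rounds=20):
    """Bounded forward chaining over linear CHCs.  Returns the derivation of the
    atom 'false' as a list of (clause number, predicate, arguments), first step
    first, or None if it is not derived within max_rounds rounds.  None is not
    a safety proof: that needs a model (an inductive invariant), not a bound."""
    # known atom -> (clause that derived it, body atom it was derived from)
    known = {(c["head"], ()): (c["num"], None) for c in clauses if c["body"] is None}
    for _ in range(max_rounds):
        fresh = {}
        for c in clauses:
            if c["body"] is None:
                continue
            for (pred, args) in list(known):
                if pred != c["body"] or not c["guard"](args):
                    continue
                atom = (c["head"], c["out"](args))
                if atom not in known and atom not in fresh:
                    fresh[atom] = (c["num"], (pred, args))
        if not fresh:
            return None
        known.update(fresh)
        if ("false", ()) in known:
            steps, atom = [], ("false", ())
            while atom is not None:        # walk provenance back to the fact p0
                num, parent = known[atom]
                steps.append((num, atom[0], atom[1]))
                atom = parent
            return steps[::-1]
    return None

def with_assertion(check):
    """Same program with assert(check(x, y)): only clauses (6) and (7) change."""
    out = []
    for c in CLAUSES:
        if c["num"] == 6:
            c = dict(c, guard=lambda s: check(s[0], s[1]))
        elif c["num"] == 7:
            c = dict(c, guard=lambda s: not check(s[0], s[1]))
        out.append(c)
    return out
```

For the program as written the derivation passes through p1(1, 1), where x > y fails after one loop iteration; with assert(x >= y) no derivation is found within the bound, which is evidence but not a proof.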
CHC Terminology

Rule:  $h[X] \leftarrow p_1[X_1], \dots, p_n[X_n], \varphi$  (head $h[X]$; body $p_1[X_1], \dots, p_n[X_n]$; constraint $\varphi$)

Query:  $\mathit{false} \leftarrow p_1[X_1], \dots, p_n[X_n], \varphi$

Fact:  $h[X] \leftarrow \varphi$

Linear CHC:  $h[X] \leftarrow p[X_1], \varphi$

Non-Linear CHC:  $h[X] \leftarrow p_1[X_1], \dots, p_n[X_n], \varphi$, for $n > 1$
CHC Satisfiability

A model of a set of clauses $\Pi$ is an interpretation of each predicate $p_i$ that makes all clauses in $\Pi$ valid

A set of clauses is satisfiable if it has a model, and is unsatisfiable otherwise

A model is A-definable, if each $p_i$ is definable by a formula $\varphi_i$ in A
Relationship between CHC and Verification


A  program  satisfies  a  property  iff  corresponding  CHCs  are  satisfiable 

•  satisfiability-preserving  transformations  ==  safety  preserving 

Models  for  CHC  correspond  to  verification  certificates 

•  inductive  invariants  and  procedure  summaries 

Unsatisfiability  (or  derivation  of  FALSE)  corresponds  to  counterexample 

•  the  resolution  derivation  (a  path  or  a  tree)  is  the  counterexample 

CAVEAT:  In  SeaHorn  the  terminology  is  reversed 

•  SAT  means  there  exists  a  counterexample  -  a  BMC  at  some  depth  is  SAT 

•  UNSAT  means  the  program  is  safe  -  BMC  at  all  depths  are  UNSAT 


==r  Software  Engineering  Institute  Carnegie  Mellon  University 


Building  Verifiers  from  Comp  and  SMT 
Gurfinkel,  2015 

©2015  Carnegie  Mellon  University 


17 


FROM  PROGRAMS  TO 
CLAUSES 
Hoare Triples

A Hoare triple {Pre} P {Post} is valid iff every terminating execution of P that starts in a state that satisfies Pre ends in a state that satisfies Post

Inductive Loop Invariant

  $\dfrac{Pre \Rightarrow Inv \qquad \{Inv \wedge C\}\ Body\ \{Inv\} \qquad Inv \wedge \neg C \Rightarrow Post}{\{Pre\}\ \mathbf{while}\ C\ \mathbf{do}\ Body\ \{Post\}}$

Function Application

  $\dfrac{(Pre \wedge p = a) \Rightarrow P \qquad \{P\}\ Body_F\ \{Q\} \qquad (Q \wedge p, r = a, b) \Rightarrow Post}{\{Pre\}\ b = F(a)\ \{Post\}}$

Recursion

  $\dfrac{\{Pre\}\ b = F(a)\ \{Post\} \vdash \{Pre\}\ Body_F\ \{Post\}}{\{Pre\}\ b = F(a)\ \{Post\}}$




Weakest Liberal Pre-Condition

Validity of Hoare triples is reduced to FOL validity by applying a predicate transformer

Dijkstra's weakest liberal pre-condition calculus [Dijkstra'75]

  wlp(P, Post): the weakest pre-condition ensuring that executing P ends in Post

  {Pre} P {Post} is valid  $\iff$  $Pre \Rightarrow wlp(P, Post)$
Horn Clauses by Weakest Liberal Precondition

Prog = def Main(x) { bodyM } . def P(x) { bodyP }

  $wlp(x = E, Q) = \mathbf{let}\ x = E\ \mathbf{in}\ Q$
  $wlp(\mathbf{assert}(E), Q) = E \wedge Q$
  $wlp(\mathbf{assume}(E), Q) = E \rightarrow Q$
  $wlp(\mathbf{while}\ E\ \mathbf{do}\ S, Q) = I(w) \wedge \forall w \,.\, ((I(w) \wedge E) \rightarrow wlp(S, I(w))) \wedge ((I(w) \wedge \neg E) \rightarrow Q)$
  $wlp(y = P(E), Q) = p_{pre}(E) \wedge (\forall r \,.\, p(E, r) \rightarrow Q[r/y])$

  $ToHorn(\mathbf{def}\ P(x)\ \{S\}) = wlp(x_0 = x;\ \mathbf{assume}(p_{pre}(x));\ S,\ p(x_0, ret))$
  $ToHorn(Prog) = wlp(Main(), true) \wedge \forall \{P \in Prog\} \,.\, ToHorn(P)$
Example of a WLP Horn Encoding

  {Pre: y >= 0}
  x0 = x;
  y0 = y;
  while y > 0 do
    x = x+1;
    y = y-1;
  {Post: x = x0+y0}

C1: $I(x, y, x, y) \leftarrow y \ge 0$.
C2: $I(x+1, y-1, x_0, y_0) \leftarrow I(x, y, x_0, y_0),\ y > 0$.
C3: $\mathit{false} \leftarrow I(x, y, x_0, y_0),\ y \le 0,\ x \ne x_0 + y_0$.

{y >= 0} P {x = x0+y0} is true iff the query C3 is satisfiable
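The wlp rules of the previous slide as a predicate transformer over a tiny statement language, run on the program above. This is an added example, not code from the slides; formulas are Python predicates on a state dictionary, and the "for all w" of the while rule is approximated by enumerating a finite box of integer states (BOX), so it is a bounded check of the proof obligations that an SMT solver would discharge for all integers. The invariant GOOD_INV is my choice for the unknown I(x, y, x0, y0).

```python
# Added example (not from the slides): Dijkstra's wlp rules, as listed on the
# slide, applied to the {y >= 0} ... {x = x0 + y0} program.  Formulas are
# predicates on a state dict; "forall w" is approximated over a finite box.
from itertools import product

VARS = ("x", "y", "x0", "y0")
BOX = range(-3, 6)          # finite stand-in for the integers (bounded check only)

def states():
    return (dict(zip(VARS, vals)) for vals in product(BOX, repeat=len(VARS)))

def wlp(stmt, post):
    """Statements: ("assign", var, expr), ("assert", cond), ("assume", cond),
    ("seq", s1, s2), ("while", cond, body, inv); expr, cond and inv are
    functions from a state dict to a value.  Returns wlp(stmt, post)."""
    kind = stmt[0]
    if kind == "assign":                      # wlp(x = E, Q) = let x = E in Q
        _, var, expr = stmt
        return lambda s: post({**s, var: expr(s)})
    if kind == "assert":                      # wlp(assert(E), Q) = E /\ Q
        return lambda s: stmt[1](s) and post(s)
    if kind == "assume":                      # wlp(assume(E), Q) = E -> Q
        return lambda s: (not stmt[1](s)) or post(s)
    if kind == "seq":                         # wlp(S1; S2, Q) = wlp(S1, wlp(S2, Q))
        return wlp(stmt[1], wlp(stmt[2], post))
    if kind == "while":
        # wlp(while E do S, Q) = I(w) /\ forall w. ((I(w) /\ E) -> wlp(S, I(w)))
        #                                         /\ ((I(w) /\ ~E) -> Q)
        _, cond, body, inv = stmt
        preserved = wlp(body, inv)
        closed = all((not inv(w) or not cond(w) or preserved(w)) and
                     (not inv(w) or cond(w) or post(w)) for w in states())
        return lambda s: inv(s) and closed
    raise ValueError("unknown statement " + kind)

def hoare_valid(pre, prog, post):
    """{Pre} P {Post} is valid iff Pre -> wlp(P, Post); checked over the box."""
    w = wlp(prog, post)
    return all((not pre(s)) or w(s) for s in states())

def program(inv):
    """The slide's program, parameterised by the loop invariant I(x, y, x0, y0)."""
    body = ("seq", ("assign", "x", lambda s: s["x"] + 1),
                   ("assign", "y", lambda s: s["y"] - 1))
    return ("seq", ("assign", "x0", lambda s: s["x"]),
            ("seq", ("assign", "y0", lambda s: s["y"]),
                    ("while", lambda s: s["y"] > 0, body, inv)))

PRE = lambda s: s["y"] >= 0
POST = lambda s: s["x"] == s["x0"] + s["y0"]
GOOD_INV = lambda s: s["x"] + s["y"] == s["x0"] + s["y0"] and s["y"] >= 0
WEAK_INV = lambda s: True    # fails the (I /\ ~E) -> Post obligation (C3)

if __name__ == "__main__":
    print(hoare_valid(PRE, program(GOOD_INV), POST))   # True
    print(hoare_valid(PRE, program(WEAK_INV), POST))   # False
```

GOOD_INV is exactly a model of C1-C3: C1 is the I(s) conjunct after the two assignments, C2 is the preservation obligation and C3 the exit obligation inside `closed`.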
Dual WLP

Dual weakest liberal pre-condition

  $\mathit{dual\text{-}wlp}(P, Post) = \neg wlp(P, \neg Post)$

$s \in \mathit{dual\text{-}wlp}(P, Post)$ iff there exists an execution of P that starts in s and ends in Post

dual-wlp(P, Post) is the weakest condition ensuring that an execution of P can reach a state in Post
Horn Clauses by Dual WLP

Assumptions

• each procedure is represented by a control flow graph

- i.e., statements of the form $l_i: S;\ \mathbf{goto}\ l_j$, where S is loop-free

• program is unsafe iff the last statement of Main() is reachable

- i.e., no explicit assertions. All assertions are top-level.

For each procedure P(x), create predicates

• $l(w)$ for each label, $p_{en}(x_0, x, w)$ for entry, $p_{ex}(x_0, r)$ for exit

The verification condition is a conjunction of clauses:

  $p_{en}(x_0, x) \leftarrow x_0 = x$
  $l_j(x_0, w') \leftarrow l_i(x_0, w) \wedge \neg wlp(S, \neg(w = w'))$, for each statement $l_i: S;\ \mathbf{goto}\ l_j$
  $p(x_0, r) \leftarrow p_{ex}(x_0, r)$
  $\mathit{false} \leftarrow Main_{ex}(x, ret)$
Example Horn Encoding (repeat of the earlier slide of the same name: the same program and clauses (1)-(9))
Single Static Assignment

SSA == every value has a unique assignment (a definition)

A procedure is in SSA form if every variable has exactly one definition

SSA form is used by many compilers

• explicit def-use chains

• simplifies optimizations and improves analyses

PHI-functions are necessary to maintain unique definitions in branching control flow

  x = PHI(v0:bb0, ..., vn:bbn)   (phi-assignment)

"x gets vi if the previously executed block was bbi"
Large Step Encoding: Single Static Assignment

Example: Single Static Assignment

Source program:

  int x, y, n;
  x = 0;
  while (x < N) {
    if (y > 0)
      x = x + y;
    else
      x = x - y;
    y = -1 * y;
  }

SSA form (control flow graph, labels 0-6):

  0: goto 1
  1: x_0 = PHI(0:0, x_3:5);
     y_0 = PHI(y:0, y_1:5);
     if (x_0 < N) goto 2 else goto 6
  2: if (y_0 > 0) goto 3 else goto 4
  3: x_1 = x_0 + y_0; goto 5
  4: x_2 = x_0 - y_0; goto 5
  5: x_3 = PHI(x_1:3, x_2:4);
     y_1 = -1 * y_0;
     goto 1
  6:
Example: Large Step Encoding

The loop body (blocks 1 to 5 of the SSA control flow graph above) is encoded as a single large step from $p_1(x_0, y_0)$ to $p_1(x'_0, y'_0)$. Each block i gets a boolean $B_i$ standing for "block i is executed"; the SSA definitions become equalities, the branches become implications between the block booleans, and the PHI-node becomes a disjunction over its incoming edges:

  $x_1 = x_0 + y_0$
  $x_2 = x_0 - y_0$
  $y_1 = -1 * y_0$

  $B_2 \rightarrow x_0 < N$
  $B_3 \rightarrow B_2 \wedge y_0 > 0$
  $B_4 \rightarrow B_2 \wedge y_0 \le 0$
  $B_5 \rightarrow (B_3 \wedge x_3 = x_1) \vee (B_4 \wedge x_3 = x_2)$

  $B_5 \wedge x'_0 = x_3 \wedge y'_0 = y_1$

With $\varphi$ the conjunction of the constraints above, the clause for the whole loop body is

  $p_1(x'_0, y'_0) \leftarrow p_1(x_0, y_0),\ \varphi$.
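The large-step constraint above evaluated exhaustively against the concrete semantics of the loop body. This is an added example, not code from the slides or from SeaHorn; the function names are mine. It enumerates the block booleans B2..B5 and the candidate values of the free SSA variables to find every (x0', y0') that satisfies phi, and checks that this set is exactly what one execution of the SSA blocks 1 to 5 produces.

```python
# Added example (not from the slides): the large-step clause
#   p1(x0', y0') <- p1(x0, y0), phi
# for the loop body, with phi the conjunction listed on the slide, compared
# against one concrete execution of SSA blocks 1-5 over a box of states.
from itertools import product

def phi(x0, y0, N, B2, B3, B4, B5, x3, x0n, y0n):
    """The constraint phi of the slide on one candidate assignment."""
    x1, x2, y1 = x0 + y0, x0 - y0, -1 * y0                   # SSA definitions
    return ((not B2 or x0 < N) and                              # B2 -> x0 < N
            (not B3 or (B2 and y0 > 0)) and                     # B3 -> B2 /\ y0 > 0
            (not B4 or (B2 and y0 <= 0)) and                    # B4 -> B2 /\ y0 <= 0
            (not B5 or (B3 and x3 == x1) or (B4 and x3 == x2)) and  # B5 -> PHI edges
            B5 and x0n == x3 and y0n == y1)                     # B5 /\ x0' = x3 /\ y0' = y1

def large_step_successors(x0, y0, N):
    """All (x0', y0') such that phi is satisfiable for this x0, y0: the free
    variables (block booleans, x3 and the primed variables) are enumerated over
    the finitely many values they could take in the encoding."""
    x1, x2, y1 = x0 + y0, x0 - y0, -1 * y0
    succ = set()
    for B2, B3, B4, B5 in product((False, True), repeat=4):
        for x3, x0n, y0n in product((x1, x2), (x0, x1, x2), (y0, y1)):
            if phi(x0, y0, N, B2, B3, B4, B5, x3, x0n, y0n):
                succ.add((x0n, y0n))
    return succ

def concrete_step(x0, y0, N):
    """One execution of the loop body, from label 1 back to label 1."""
    if not x0 < N:
        return set()               # the loop exits to label 6: no successor at label 1
    x = x0 + y0 if y0 > 0 else x0 - y0
    return {(x, -1 * y0)}

def encoding_matches_semantics(N=3, box=range(-3, 4)):
    """phi admits precisely the successor states the SSA blocks compute."""
    return all(large_step_successors(x0, y0, N) == concrete_step(x0, y0, N)
               for x0 in box for y0 in box)
```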
Mixed Semantics
PROGRAM TRANSFORMATION

Deeply nested assertions

[Figure: a call tree rooted at main, with the Assertion deep inside the nested calls]

Counter-examples are long

Hard to determine (from main) what is relevant
Mixed Semantics

[GWC'08, LQ'14]

Stack-free program semantics combining:

• operational (or small-step) semantics

- i.e., usual execution semantics

• natural (or big-step) semantics: function summary [Sharir-Pnueli 81]

- $(\sigma, \sigma') \in \|f\|$ iff the execution of f on input state $\sigma$ terminates and results in state $\sigma'$

• some execution steps are big, some are small

Non-deterministic executions of function calls

• update top activation record using function summary, or

• enter function body, forgetting history records (i.e., no return!)

Preserves reachability and non-termination

Theorem: Let K be the operational semantics, $K_m$ the stack-free semantics, and L a program location. Then,

  $K \models EF(pc = L) \iff K_m \models EF(pc = L)$  and  $K \models EG(pc \ne L) \iff K_m \models EG(pc \ne L)$
Example: Mixed Semantics

  def main():
  1:  int x = nd();
  2:  x = x+1;
  3:  while (x >= 0)
  4:    x = f(x);
  5:  if (x < 0)
  6:    Error;
  7:
  8:  END;

  def f(int y): ret y
  9:  if (y >= 10) {
  10:   y = y+1;
  11:   y = f(y);
  12: } else if (y > 0)
  13:   y = y+1;
  14: y = y-1
  15:

Summary of f(y):  $(1 \le y \le 9 \wedge y' = y) \vee (y \le 0 \wedge y' = y - 1)$

[Figure: control flow graphs of main and f. The edges of main are labelled $x' = nd()$, $x' = x + 1$, the summary of f applied at the call ($1 \le x \le 9 \wedge x' = x$ or $x \le 0 \wedge x' = x - 1$) and $x < 0$ into Error; the edges of f carry $(1 \le y \le 9 \wedge y' = y)$ and $(y \le 0 \wedge y' = y - 1)$. The call at line 4 either takes the summary edge or enters f at line 9 without returning.]
Mixed Semantics as Program Transformation

Original program:

  main()
    p1();
    assert(c1);

  p1()
    p2();
    assert(c2);

  p2()
    assert(c3);

Transformed program (a call either applies the callee's summary through its _new copy, or jumps to the callee's entry label and never returns; assertions become assumes in the summaries and error jumps in the inlined bodies):

  main_new()
    if (*) goto p1_entry;
    else p1_new();
    if (¬c1) goto error;
    assume(false);
  p1_entry:
    if (*) goto p2_entry;
    else p2_new();
    if (¬c2) goto error;
    assume(false);
  p2_entry:
    if (¬c3) goto error;
    assume(false);
  error: assert(false);

  p1_new()
    if (*) goto p2_entry;
    else p2_new();
    assume(c2);

  p2_new()
    assume(c3);
Implementing Mixed Semantics in LLVM

Something about how this can be implemented as a simple transformation in LLVM

In the Lab, show how to do this transformation by hand by modifying the bitcode and using opt to execute the optimization
SOLVING CHC WITH SMT

Programs, Cexs, Invariants

A program $P = (V, Init, \rho, Bad)$

• Notation: $F(X) = \exists u \,.\, (X \wedge \rho) \vee Init$

P is UNSAFE if and only if there exists a number N s.t.

  $Init(v_0) \wedge \bigwedge_{i=0}^{N-1} \rho(v_i, v_{i+1}) \wedge Bad(v_N) \not\Rightarrow \bot$

P is SAFE if and only if there exists a safe inductive invariant Inv s.t.

  $Init(u) \Rightarrow Inv(u)$
  $Inv(u) \wedge \rho(u, v) \Rightarrow Inv(v)$   (Inductive)
  $Inv(u) \Rightarrow \neg Bad(u)$   (Safe)
IC3/PDR Algorithm Overview

  Input: Transition system T = (Init, Tr, Bad)
  F0 ← Init; N ← 0
  repeat
    G ← PdrMkSafe([F0, ..., FN], Bad)
    if G = [] then return UNSAFE;
    ∀0 ≤ i ≤ N · Fi ← G[i]
    F0, ..., FN ← PdrPush([F0, ..., FN])
    // F0, ..., FN is a safe δ-trace
    if ∃0 ≤ i < N · Fi = Fi+1 then return SAFE;
    N ← N + 1; FN ← ∅
  until ∞;

Aaron R. Bradley: SAT-Based Model Checking without Unrolling. VMCAI 2011: 70-87
IC3/PDR in Pictures

[Figure: PdrMkSafe over the trace of frames $R_0$, $R_1$, ...; lemmas are added to frames.]

[Figure: PdrPush; lemmas are pushed forward along the trace until a frame becomes inductive.]

PDR Invariants

  $R_i \rightarrow \neg Bad$
  $Init \rightarrow R_i$
  $R_i \rightarrow R_{i+1}$
  $R_i \wedge Tr \rightarrow R'_{i+1}$
Spacer: Solving CHC in Z3

Spacer: solver for SMT-constrained Horn Clauses

• stand-alone implementation in a fork of Z3

• http://bitbucket.org/spacer/code

Support  for  Non-Linear  CHC 

•  model  procedure  summaries  in  inter-procedural  verification  conditions 

•  model  assume-guarantee  reasoning 

•  uses  MBP  to  under-approximate  models  for  finite  unfoldings  of  predicates 

• uses MAX-SAT to decide on an unfolding strategy

Supported SMT-Theories

•  Best-effort  support  for  arbitrary  SMT-theories 

-  data-structures,  bit-vectors,  non-linear  arithmetic 

•  Full  support  for  Linear  arithmetic  (rational  and  integer) 

•  Quantifier-free  theory  of  arrays 

-  only  quantifier  free  models  with  limited  applications  of  array  equality 
RESULTS

SV-COMP 2015

http://sv-comp.sosy-lab.org/2015/

4th Competition on Software Verification held (here!) at TACAS 2015

Goals

•  Provide  a  snapshot  of  the  state-of-the-art  in  software  verification  to  the 
community. 

•  Increase  the  visibility  and  credits  that  tool  developers  receive. 

• Establish a set of benchmarks for software verification in the community.

Participants:

•  Over  22  participants,  including  most  popular  Software  Model  Checkers  and 
Bounded  Model  Checkers 

Benchmarks: 

•  C  programs  with  error  location  (programs  include  pointers,  structures,  etc.) 

• Over 6,000 files, each 2K - 100K LOC

•  Linux  Device  Drivers,  Product  Lines,  Regressions/Tricky  examples 

• http://sv-comp.sosy-lab.org/2015/benchmarks.php
Results for DeviceDriver category

[Plot: time in s (log scale, 10 to 1000) against accumulated score (500 to 2500) for BLAST, CBMC, CPAchecker, ESBMC, SeaHorn, SMACK+Corral, UAutomizer and UKojak.]
Conclusion

SeaHorn (http://seahorn.github.io)

•  a  state-of-the-art  Software  Model  Checker 

•  LLVM-based  front-end 

•  CHC-based  verification  engine 

•  a  framework  for  research  in  logic-based  verification 

The  future 

•  making  SeaHorn  useful  to  users  of  verification  technology 

- counterexamples, build integration, property specification, proofs, etc.

•  targeting  many  existing  CHC  engines 

-  specialize  encoding  and  transformations  to  specific  engines 

-  communicate  results  between  engines 

•  richer  properties 

- termination, liveness, synthesis